Broadcast encryption is a type of encryption in which the same ciphertext is received by a plurality of receivers having secret keys different from each other, and decryption thereof by each receiver results in the same plaintext.
One conventional broadcast encryption method that allows an arbitrary member to be disabled is the broadcast encryption described in Dan Boneh, Craig Gentry, Brent Waters: Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys, Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, Calif., USA, Aug. 14-18, 2005, Proceedings. Lecture Notes in Computer Science 3621 Springer 2005, ISBN 3-540-28114-2, pp. 258-275. This method can generate a ciphertext which can be correctly decrypted only by members belonging to an arbitrary set of initially determined members. A brief description will be given of this type of encryption.
FIG. 11 is a block diagram illustrating an example of a configuration of the conventional broadcast encryption.
The broadcast encryption 100 illustrated in FIG. 11 is intended to be used by an administrator, a ciphertext generator, and a large number of ciphertext receivers. The broadcast encryption 100 includes a setting algorithm 105, an encryption algorithm 108, and a decryption algorithm 110. The processing of each of those algorithms is carried out by an information processing device corresponding to that algorithm.
The administrator uses the setting algorithm 105 to generate a public key 106, and individual secret keys 107 for all the ciphertext receivers (namely, to generate a set of the secret keys for all the ciphertext receivers), and secretly passes the secret keys to the respective ciphertext receivers.
The ciphertext generator determines a message 111 and a set 103 of the ciphertext receivers (distribution member set) to which the message 111 is to be distributed. Then, the ciphertext generator uses the encryption algorithm 108 to generate a broadcast ciphertext 109 from the message 111, the public key 106, and data representing the set 103 of intended receivers of distribution, and broadcasts the generated broadcast ciphertext 109 to all the receivers. It should be noted that the ciphertext 109 includes a description of the receivers who are authorized to carry out the decryption.
While all the receivers receive the ciphertext 109, a receiver decrypts the message, in the following way, only when the ciphertext describes this receiver as an authorized receiver. The receiver uses the decryption algorithm 110 to restore the message 111 based on the secret key 107 passed to the receiver and the received ciphertext 109 (this ciphertext includes a description of the receivers who are authorized to carry out the decryption).
On the other hand, as a method for tracing an unauthorized person employing the conventional broadcast encryption, there is the method described in Dan Boneh, Amit Sahai, Brent Waters: Fully Collusion Resistant Traitor Tracing With Short Ciphertexts and Private Keys, Advances in Cryptology - EUROCRYPT 2006, Proceedings. Lecture Notes in Computer Science Springer 2006, available on the Internet at URL: http://eprint.iacr.org/2006/045. According to this method, even when members belonging to an arbitrary set of initially determined members get together, bringing their own secret keys, and illicitly produce a pirated version of a decryption device, it is possible to identify, based on this device, at least one member who was involved in the production of the pirated version. In particular, identifying this member does not require directly investigating a circuit or a program code of the pirated decryption device; it is enough to enter a ciphertext and then observe the output thereof. A brief description will be given of this type of encryption.
FIG. 12 is a block diagram illustrating another example of a configuration of the conventional broadcast encryption. As illustrated in FIG. 12, a broadcast encryption 200 is intended to be used by an administrator, a ciphertext generator, a large number of ciphertext receivers, and a tracer for unauthorized person. The broadcast encryption 200 includes a setting algorithm 203, an encryption algorithm 208, a decryption algorithm 210, and an algorithm of black box type for tracing unauthorized person 212. It should be noted that processing of the respective algorithms is carried out by an information processing device.
The administrator uses the setting algorithm 203 to generate a public key 204, and individual secret keys 205 for all the ciphertext receivers (namely, to generate a set of the secret keys for all the ciphertext receivers), and secretly passes the secret keys 205 to the respective ciphertext receivers. Moreover, the administrator generates a trace key 206, and gives the algorithm of black box type for tracing unauthorized person 212 the trace key 206.
The ciphertext generator uses the encryption algorithm 208 to generate a broadcast ciphertext 209 from a message 211 and the public key 204, and broadcasts the generated broadcast ciphertext 209 to all the receivers. It should be noted that all the receivers can decrypt this ciphertext 209. The receiver uses the decryption algorithm 210 to restore the message 211 based on the secret key 205 passed to this receiver and the received ciphertext 209.
Consider now a case in which a receiver uses his or her own secret key to illicitly produce a decryption device incorporating the decryption algorithm, or a program for the decryption, and passes the produced decryption device or program to another person. In the following, this program or device is referred to as a pirated version.
The tracer for unauthorized person wants to obtain the pirated version, and then to find the unauthorized person who illicitly used his or her own secret key. However, the tracer for unauthorized person avoids complicated operations such as analyzing the program itself.
The algorithm of black box type for tracing unauthorized person 212 uses the trace key 206 to produce a plurality of special ciphertexts designed to trace the unauthorized person, and sequentially inputs them as ciphertexts to the pirated version. The pirated version tries to decrypt the ciphertexts. However, those special ciphertexts are designed such that the result of decrypting them depends on the secret key(s) 205 used for the decryption. Therefore, analysis of the result of the decryption enables identification of the receiver who has illicitly disclosed the secret key.